package com.systar.activity.report;

import org.junit.Assert;
import org.junit.Test;

import com.systar.activity.report.RequestHelper;

public class RequestHelperTest
{

	@Test
	public void testNoInjection()
	{
		Assert.assertFalse(RequestHelper.detectScriptInjection("toto"));
		Assert.assertFalse(RequestHelper.detectSqlInjection("toto"));
	}

	@Test
	public void testJavascriptInjection()
	{
		Assert.assertTrue(RequestHelper.detectScriptInjection("'toto'+'javascript: redirecturl=\"www\"'"));
	}

	@Test
	public void testScriptInjection()
	{
		Assert.assertTrue(RequestHelper.detectScriptInjection("'toto'+'<script type=\"text/javascript\">var toto;</script>'"));
	}

	@Test
	public void testEvalInjection()
	{
		Assert.assertTrue(RequestHelper.detectScriptInjection("'toto'+'eval(\"10+10\")'"));
	}

	@Test
	public void testSelectInjection()
	{
		// when sql structure is known, it is possible to inject sql instead of value
		// for example for parameter userId
		Assert.assertTrue(RequestHelper.detectSqlInjection("(select min(UserId) from DB_USERS where Role='Administrator') "));
	}

	@Test
	public void testUpdateInjections()
	{
		// when sql structure is known, it is possible to concat modification queries
		Assert.assertTrue(RequestHelper.detectSqlInjection("0; delete from DB_USERS where Role='Administrator' "));
		Assert.assertTrue(RequestHelper.detectSqlInjection("0; insert into DB_USERS values (10000,'toto','Administrator') "));
		Assert.assertTrue(RequestHelper.detectSqlInjection("0; Update DB_USERS set Role='Administrator' "));
	}
}
